1. A method of generating an Authorized Domain (AD), the method comprising the steps of:

- selecting a domain identifier (Domain_ID) uniquely identifying the Authorized Domain (100),

- binding at least one user (P1, P2, ..., PN1) to the domain identifier (Domain_ID), and

- binding at least one device (D1, D2, ..., DM) to at least one user (P1, P2, ..., PN1),

- thereby obtaining a number of devices (D1, D2, ..., DM) and a number of users (P1, P2, ..., PN1) that is authorized to access a content item (C1, C2, ..., CN2) of said Authorized Domain (100).

2. A method according to claim 1, characterized in that

- each device (D1, D2, ..., DM) may be bound to only a single user, or

- each device (D1, D2, ..., DM) may be bound to several users, where one user is indicated as a primary user for that particular device (D1, D2, ..., DM).


3. A method according to claim 2, characterized in that the method further comprises the step of:

- importing, on a given device (D1, D2, ..., DM), at least one content item (C1, C2, ..., CN2) into the Authorized Domain (AD) given by the domain identifier (Domain_ID) by

- automatically binding, by default, the at least one imported content item (C1, C2, ..., CN2) to the single user (P1, P2, ..., PN1) that the given device (D1, D2, ..., DM) is bound to or to the user (P1, P2, ..., PN1) indicated as primary user for the given device (D1, D2, ..., DM),

or

- binding the at least one imported content item (C1, C2, ..., CN2) to another user (P1, P2, ..., PN1) using additional information, when non-default binding is to be used.

4. A method according to any of claims 1-3, characterized in that the method further comprises

- providing an Authorized Domain (AD) size limitation, where the limitation relates to a maximum number of users.

5. A method according to any of claims 1-4, characterized in that the method further comprises

- using a user identification device as a personal Authorized Domain (AD) manager, and/or
- using a personal mobile device as a personal Authorized Domain manager, and/or
- using a mobile phone as a personal Authorized Domain manager, and/or
- using a PDA (personal digital assistant) as a personal Authorized Domain manager and/or.


6. A method according to any of claims 1-5, characterized in that the step of binding at least one user (P1, P2, ..., PN1) to the domain identifier (Domain_ID) comprises:

- obtaining or generating a Domain Users List (DUC) comprising the domain identifier (Domain_ID) and a unique identifier (Pers_ID1, Pers_ID2, ..., Pers_IDN1) for a user (P1, P2, ..., PN1) thereby defining that the user is bound to the Authorized Domain (100).

7. A method according to any of claims 1-6, characterized in that the step of binding at least one device (D1, D2, ..., DM) to at least one user (P1, P2, ..., PN1) comprises

- obtaining or generating a Device Owner List (DOC) comprising a unique identifier (Pers_ID1, Pers_ID2, ..., Pers_IDN1) for a user (P1, P2, ..., PN1) and a unique identifier (Dev_ID1, Dev_ID2, ..., Dev_IDM) for each device (D1, D2, ..., DM) belonging to the user thereby defining that the at least one device is/are bound to the user (P1, P2, ..., PN1),

or in that the step of binding at least one device (D1, D2, ..., DM) to at least one user (P1, P2, ..., PN1) comprises

- obtaining or generating a Device Owner List (DOC) for each device (D1, D2, ..., DM) to be bound, the Device Owner List (DOC) comprising a unique identifier (Pers_ID1, Pers_ID2, ..., Pers_IDN1) for a user (P1, P2, ..., PN1) and a unique identifier (Dev_ID1, Dev_ID2, ..., Dev_IDM) for a device (D1, D2, ..., DM) belonging to the user thereby defining that the device is bound to the user (P1, P2, ..., PN1).



8. A method according to any of claims 1-7, characterized in that the step of binding at least one content item (C1, C2, ..., CN2) to the Authorized Domain (AD) comprises:

- binding a content item (C1, C2, ..., CN2) to a User Right (URC1, URC2, ..., URCN2), where said User Right (URC1, URC2, ..., URCN2) is bound to a user (P1, P2, ..., PN1) bound to the Authorized Domain (100).

9. A method according to claim 8, characterized in that the User Right (URC1, URC2, ..., URCN2) comprises rights data (Rghts Dat) representing which rights exist in relation to the at least one content item (C1, C2, ..., CN2) bound to the User Right (URC1, URC2, ..., URCN2).

10. A method according to any one of the previous claims, characterized in that the method further comprises the step of controlling access, by a given device being operated by a given user, to a given content item (C1, C2, ..., CN2), the step comprising:

- checking whether a user, the given content item (C1, C2, ..., CN2) is linked to, and a user, the given device is linked to, belongs to the same Authorized Domain (AD), and allowing access for the given user and/or other users via the given device to the content item if so,

and/or

- checking if the given content item (C1, C2, ..., CN2) is linked to a user belonging to the same Authorized Domain (AD) as the given user, and allowing access for the given user via the given device and/or other devices to the content item if so.


11. A method according to any one of claims 6-9, characterized in that the method further comprises the step of controlling access, by a given device being operated by a given user, to a given content item (C1, C2, ..., CN2) being bound to the Authorized Domain (100) and having a unique content identifier (Cont_ID), comprising:

- checking if the Domain User List (DUC) of the Authorized Domain (100) comprises both a first user identifier (Pers_ID), comprised in a Device Owner List (DOC) comprising an identifier (Dev1_ID, Dev2_ID) of the given device, and a second user identifier (Pers_ID), linked to the given content item (C1, C2, ..., CN2), thereby checking if the user bound to the given device is bound to the same Authorized Domain (100) as the user bound to the content item, and

- allowing access to the given content item (C1, C2, ..., CN2) by the given device (D1, D2, ..., DM) operated by any user

and/or

- checking if the Domain User List (DUC) of the Authorized Domain (100), that the content item is bound to, comprises a user identifier (Pers_ID) of the given user (P1, P2, ..., PN1) thereby checking if the given user is bound to the same Authorized Domain (100) as the content item, and

- allowing access to the given content item (C1, C2, ..., CN2) by any device including the given device operated by the given user.

12. A method according to any of claims 10-11, characterized in that the step of controlling access of a given content item further comprises:

- checking that the User Right (URC1, URC2, ..., URCN2) for the given content item specifies that the given user (P1, P2, ..., PN1) has the right to access the given content item (C1, C2, ..., CN2) and only allowing access to the given content item (C1, C2, ..., CN2) in the affirmative.

13. A method according to any of claims 1-12, characterized in that every content item is encrypted and that a content right (CR) is bound to each content item and to a User Right (URC1, URC2, ..., URCN2), and that the content right (CR) of a given content item comprises a decryption key for decrypting the given content item.

14. A method according to any of claims 6-13, characterized in that

- the Domain Users List (DUC) is implemented as or included in a Domain Users Certificate,

and/or

- the Device Owner List (DOC) is implemented as or included in a Device Owner Certificate,

and/or

- the User Right (URC1, URC2, ..., URCN2) is implemented as or included in a User Right Certificate.

15. A method according to any previous claim, characterized by binding at least one content item (C1, C2, ..., CN2) to at least one user (P1, P2, ..., PN1).

16. A system for generating an Authorized Domain (AD), the system comprising:

- means for obtaining a domain identifier (Domain_ID) uniquely identifying the Authorized Domain (100),

- means for binding at least one user (P1, P2, ..., PN1) to the domain identifier (Domain_ID), and

- means for binding at least one device (D1, D2, ..., DM) to at least one user (P1, P2, ..., PN1),

- thereby obtaining a number of devices (D1, D2, ..., DM) and a number of persons (P1, P2, ..., PN1) that is authorized to access a content item of said Authorized Domain (100).


17. A system according to claim 16, characterized in that

- each device (D1, D2, ..., DM) may be bound to only a single user, or

- each device (D1, D2, ..., DM) may be bound to several users, where one user is indicated as a primary user for that particular device (D1, D2, ..., DM).

18. A system according to claim 17, characterized in that the system further comprises means for:

- importing, on a given device (D1, D2, ..., DM), at least one content item (C1, C2, ..., CN2) into the Authorized Domain (AD) given by the domain identifier (Domain_ID) by

- automatically binding, by default, the at least one imported content item (C1, C2, ..., CN2) to the single user (P1, P2, ..., PN1) that the given device (D1, D2, ..., DM) is bound to or to the user (P1, P2, ..., PN1) indicated as primary user for the given device (D1, D2, ..., DM), or

- binding the at least one imported content item (C1, C2, ..., CN2) to another user (P1, P2, ..., PN1) using additional information, when non-default binding is to be used.

19. A system according to any of claims 16-18, characterized in that the system further comprises means for

- providing an Authorized Domain (AD) size limitation, where the limitation relates to a maximum number of users.

20. A system according to any of claims 16-19, characterized in that the system further comprises means for:

- using a user identification device as a personal Authorized Domain (AD) manager, and/or
- using a personal mobile device as a personal Authorized Domain manager, and/or
- using a mobile phone as a personal Authorized Domain manager, and/or
- using a PDA (personal digital assistant) as a personal Authorized Domain manager.

21. A system according to any of claims 16-20, characterized in that the means for binding at least one user (P1, P2, ..., PN1) to the domain identifier (Domain_ID) is adapted to:

- obtain or generate a Domain Users List (DUC) comprising the domain identifier (Domain_ID) and a unique identifier (Pers_ID1, Pers_ID2, ..., Pers_IDN1) for a user (P1, P2, ..., PN1) thereby defining that the user is bound to the Authorized Domain (100).

22. A system according to any of claims 16-21, characterized in that the means for binding at least one device (D1, D2, ..., DM) to at least one user (P1, P2, ..., PN1) is adapted to

- obtain or generate a Device Owner List (DOC) comprising a unique identifier (Pers_ID1, Pers_ID2, ..., Pers_IDN1) for a user (P1, P2, ..., PN1) and a unique identifier (Dev_ID1, Dev_ID2, ..., Dev_IDM) for each device (D1, D2, ..., DM) belonging to the user thereby defining that the at least one device is/are bound to the user (P1, P2, ..., PN1),

or in that the means for binding at least one device (D1, D2, ..., DM) to at least one user (P1, P2, ..., PN1) is adapted to

- obtain or generate a Device Owner List (DOC) for each device (D1, D2, ..., DM) to be bound, the Device Owner List (DOC) comprising a unique identifier (Pers_ID1, Pers_ID2, ..., Pers_IDN1) for a user (P1, P2, ..., PN1) and a unique identifier (Dev_ID1, Dev_ID2, ..., Dev_IDM) for a device (D1, D2, ..., DM) belonging to the user thereby defining that the device is bound to the user (P1, P2, ..., PN1).

23. A system according to any of claims 16-22, characterized in that the means for binding at least one content item (C1, C2, ..., CN2) to the Authorized Domain (AD) is adapted to:

- bind a content item (C1, C2, ..., CN2) to a User Right (URC1, URC2, ..., URCN2), where said User Right (URC1, URC2, ..., URCN2) is bound to a user (P1, P2, ..., PN1) bound to the Authorized Domain (100).

24. A system according to claim 23, characterized in that the User Right (URC1, URC2, ..., URCN2) comprises rights data (Rghts Dat) representing which rights exist in relation to the at least one content item (C1, C2, ..., CN2) bound to the User Right (URC1, URC2, ..., URCN2).

25. A system according to any of claims 16-24, characterized in that the system further comprises the means for controlling access, by a given device being operated by a given user, to a given content item (C1, C2, ..., CN2), where the means is adapted to:

- check whether a user, the given content item (C1, C2, ..., CN2) is linked to, and a user, the given device is linked to, belongs to the same Authorized Domain (AD), and allowing access for the given user and/or other users via the given device to the content item if so,

and/or

- check if the given content item (C1, C2, ..., CN2) is linked to a user belonging to the same Authorized Domain (AD) as the given user, and allowing access for the given user via the given device and/or other devices to the content item if so.

26. A system according to any one of claims 21-25, characterized in that the system further comprises means for controlling access, by a given device being operated by a given user, to a given content item (C1, C2, ..., CN2) being bound to the Authorized Domain (100) and having a unique content identifier (Cont_ID), where the means is adapted to:

- check if the Domain User List (DUC) of the Authorized Domain (100) comprises both a first user identifier (Pers_ID), comprised in a Device Owner List (DOC) comprising an identifier (Dev1_ID, Dev2_ID) of the given device, and a second user identifier (Pers_ID), linked to the given content item (C1, C2, ..., CN2), thereby checking if the user bound to the given device is bound to the same Authorized Domain (100) as the user bound to the content item, and

- allow access to the given content item (C1, C2, ..., CN2) by the given device (D1, D2, ..., DM) operated by any user

and/or

- check if the Domain User List (DUC) of the Authorized Domain (100), that the content item is bound to, comprises a user identifier (Pers_ID) of the given user (P1, P2, ..., PN1) thereby checking if the given user is bound to the same Authorized Domain (100) as the content item, and

- allow access to the given content item (C1, C2, ..., CN2) by any device including the given device operated by the given user.

27. A system according to any of claims 25-26, characterized in that the means for controlling access of a given content item is further adapted to:

- check that the User Right (URC1, URC2, ..., URCN2) for the given content item specifies that the given user (P1, P2, ..., PN1) has the right to access the given content item (C1, C2, ..., CN2) and only allow access to the given content item (C1, C2, ..., CN2) in the affirmative.

28. A system according to any of claims 16-27, characterized in that every content item is encrypted and that a content right (CR) is bound to each content item and to a User Right (URC1, URC2, ..., URCN2), and that the content right (CR) of a given content item comprises a decryption key for decrypting the given content item.

29. A system according to any of claims 20-28, characterized in that

- the Domain Users List (DUC) is implemented as or included in a Domain Users Certificate,

and/or

- the Device Owner List (DOC) is implemented as or included in a Device Owner Certificate,

and/or

- the User Right (URC1, URC2, ..., URCN2) is implemented as or included in a User Right Certificate.

30. A computer readable medium having stored thereon instructions for causing one or more processing units to execute the method according to any one of claims 1-15.


31. An Authorized Domain (AD) characterized in that the Authorized Domain (AD) has been generated by the method according to any one of claims 1-15 or by the system according to any one of claims 16-29.

32. An Authorized Domain (AD) structure comprising

- a domain identifier (Domain_ID) uniquely identifying the Authorized Domain (100),

- a representation of at least one user (P1, P2, ..., PN1) bound to the domain identifier (Domain_ID), and

- a representation of at least one device (D1, D2, ..., DM) bound to at least one user (P1, P2, ..., PN1),

- thereby defining a number of devices (D1, D2, ..., DM) and a number of users (P1, P2, ..., PN1) that is authorized to access a content item (C1, C2, ..., CN2) of said Authorized Domain (100).
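
The access check of claims 11 and 12, run over the structure of claim 32, as an added Python example that is not part of the claims text. The class names, `check_access`, the sample identifiers and the modelling of rights data as a set of operation names are assumptions; the three lists are taken as already authenticated, so the certificate forms of claim 14 are not verified here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DUC:            # Domain Users List: Domain_ID plus the Pers_IDs bound to it
    domain_id: str
    pers_ids: frozenset

@dataclass(frozen=True)
class DOC:            # Device Owner List: one Pers_ID plus the Dev_IDs bound to it
    pers_id: str
    dev_ids: frozenset

@dataclass(frozen=True)
class URC:            # User Right: binds a Cont_ID to a Pers_ID, with rights data
    cont_id: str
    pers_id: str
    rights: frozenset  # assumption: rights data modelled as operation names

def check_access(duc, docs, urcs, dev_id, pers_id, cont_id, right):
    """Return (allowed, reason) for pers_id using dev_id on cont_id."""
    urc = next((u for u in urcs if u.cont_id == cont_id), None)
    # The content's user must be in the DUC, or the item is outside this domain.
    if urc is None or urc.pers_id not in duc.pers_ids:
        return False, "content not bound to domain"
    # Claim 12: the User Right must grant the requested right.
    if right not in urc.rights:
        return False, "right not granted"
    # Claim 11, first check: a device owner is in the DUC, so any user may operate it.
    owners = {d.pers_id for d in docs if dev_id in d.dev_ids}
    if owners & duc.pers_ids:
        return True, "device bound to domain user"
    # Claim 11, second check: the operating user is in the DUC, so any device works.
    if pers_id in duc.pers_ids:
        return True, "user bound to domain"
    return False, "neither device owner nor user in domain"

# Constructed sample domain: P1 and P2 are members, P9 is an outsider.
SAMPLE_DUC = DUC("AD-100", frozenset({"P1", "P2"}))
SAMPLE_DOCS = [DOC("P1", frozenset({"D1", "D2"})), DOC("P2", frozenset({"D3"})),
               DOC("P9", frozenset({"D9"}))]
SAMPLE_URCS = [URC("C1", "P1", frozenset({"play"})),
               URC("C7", "P9", frozenset({"play"}))]

if __name__ == "__main__":
    for dev, user in [("D3", "P9"), ("D9", "P2"), ("D9", "P9")]:
        print(dev, user, check_access(SAMPLE_DUC, SAMPLE_DOCS, SAMPLE_URCS,
                                      dev, user, "C1", "play"))
```

The first sample case is the one to review in a design: an outsider (P9) operating a domain member's device (D3) is allowed, because the device branch of claim 11 grants access to any user of a domain-bound device.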



